Posted to dev@storm.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/01/21 22:36:39 UTC

[jira] [Commented] (STORM-349) (Security) ui actions should have nimbus-like authorization

    [ https://issues.apache.org/jira/browse/STORM-349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15111334#comment-15111334 ] 

ASF GitHub Bot commented on STORM-349:
--------------------------------------

Github user jkaria commented on a diff in the pull request:

    https://github.com/apache/storm/pull/215#discussion_r50468175
  
    --- Diff: storm-core/src/clj/backtype/storm/ui/core.clj ---
    @@ -47,33 +52,19 @@
          [~nimbus-sym (*STORM-CONF* NIMBUS-HOST) (*STORM-CONF* NIMBUS-THRIFT-PORT)]
          ~@body))
     
    -(defn authorized-ui-user?
    -  [user conf topology-conf]
    -  (let [ui-users (concat (conf UI-USERS)
    -                         (conf NIMBUS-ADMINS)
    -                         (topology-conf UI-USERS)
    -                         (topology-conf TOPOLOGY-USERS))]
    -    (or (blank? (conf UI-FILTER))
    -        (and (not (blank? user))
    -          (some #(= % user) ui-users)))))
    -
    -(defn assert-authorized-ui-user
    -  [user conf topology-conf]
    -  (if (not (authorized-ui-user? user conf topology-conf))
    -    ;;TODO need a better exception here so the UI can appear better
    -    (throw (RuntimeException. (str "User " user " is not authorized.")))))
    -
    -(defn- ui-actions-enabled?
    -  []
    -  (= "true" (lower-case (*STORM-CONF* UI-ACTIONS-ENABLED))))
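Review bot: deleting `ui-actions-enabled?` (the last removed block) drops the only reader of `UI-ACTIONS-ENABLED`, but nothing in this hunk retires the `ui.actions.enabled` setting itself, so an operator relying on `ui.actions.enabled: false` as a kill switch will have it silently ignored after upgrading; remove the key from defaults.yaml and the `UI-ACTIONS-ENABLED` constant in the same change, or at least log a warning when the key is still set. Separately, the removed `authorized-ui-user?` failed open whenever the filter was blank (`(or (blank? (conf UI-FILTER)) ...)`); the replacement, which is not visible in this hunk, should not inherit that default, or a UI with no filter configured will let any caller kill or rebalance a topology.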
    --- End diff --
    
    With this change, shouldn't the config line for this in defaults.yaml be removed?
    
    ui.actions.enabled: true
    https://github.com/apache/storm/blob/master/conf/defaults.yaml#L87


> (Security) ui actions should have nimbus-like authorization
> -----------------------------------------------------------
>
>                 Key: STORM-349
>                 URL: https://issues.apache.org/jira/browse/STORM-349
>             Project: Apache Storm
>          Issue Type: Bug
>          Components: storm-core
>            Reporter: Robert Joseph Evans
>            Assignee: Sriharsha Chintalapani
>              Labels: security
>             Fix For: 0.10.0
>
>
> The UI provides APIs to kill, rebalance, ... a topology.  For security we originally took the route to optionally disable these, but ideally the UI server would load an IAuthorizer instance like nimbus, and check if the user is allowed to perform that operation before doing it on behalf of the user.
> This should be fairly straightforward but may require some glue code like what is being used in the DRPC server for its web interface.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
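As an added illustration of the approach the issue describes (the UI loading an authorizer by class name and checking each action before performing it on the user's behalf), here is example code that is not Storm's own. The `Authorizer` interface is a local stand-in with the prepare/permit shape of Storm's `IAuthorizer`, with a principal name in place of its `ReqContext`; the config keys `ui.authorizer`, `nimbus.admins` and `topology.users`, the operation names, and the fail-closed behaviour when no authorizer is configured are all choices made for this example; the sample configuration is constructed inline.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not Storm's code. Authorizer is a local stand-in modelled on the
// prepare/permit shape of IAuthorizer; the config keys used below are assumed names.
public class UiAuthzExample {

    public interface Authorizer {
        void prepare(Map<String, Object> stormConf);
        boolean permit(String principal, String operation, Map<String, Object> topologyConf);
    }

    public static class AuthorizationException extends RuntimeException {
        public AuthorizationException(String msg) { super(msg); }
    }

    /** Allow-list authorizer: cluster admins may do anything; a topology's own users may act on it. */
    public static class AclAuthorizer implements Authorizer {
        private Set<String> admins = Collections.emptySet();

        @Override
        public void prepare(Map<String, Object> stormConf) {
            admins = toSet(stormConf.get("nimbus.admins"));          // assumed key name
        }

        @Override
        public boolean permit(String principal, String operation, Map<String, Object> topologyConf) {
            if (principal == null || principal.isEmpty()) {
                return false;                                        // anonymous callers never pass
            }
            if (admins.contains(principal)) {
                return true;                                         // cluster-wide admin
            }
            Set<String> topologyUsers = topologyConf == null
                    ? Collections.<String>emptySet()
                    : toSet(topologyConf.get("topology.users"));     // assumed key name
            return topologyUsers.contains(principal);
        }

        private static Set<String> toSet(Object value) {
            Set<String> out = new HashSet<>();
            if (value instanceof Collection) {
                for (Object o : (Collection<?>) value) { out.add(String.valueOf(o)); }
            }
            return out;
        }
    }

    /** Instantiates the authorizer named in the config by class name, as Nimbus does for its own. */
    public static Authorizer loadAuthorizer(Map<String, Object> stormConf) throws Exception {
        Object className = stormConf.get("ui.authorizer");           // assumed key name
        if (className == null) {
            return null;
        }
        Authorizer authorizer = (Authorizer) Class.forName((String) className)
                .getDeclaredConstructor().newInstance();
        authorizer.prepare(stormConf);
        return authorizer;
    }

    /** UI side: every mutating action is checked before it would be forwarded to Nimbus. */
    public static class UiActions {
        private final Authorizer authorizer;

        public UiActions(Authorizer authorizer) { this.authorizer = authorizer; }

        private void assertAuthorized(String user, String operation, Map<String, Object> topologyConf) {
            // Fail closed (a choice made for this example): no authorizer means no actions at all,
            // rather than falling open the way a blank filter did in the removed code.
            if (authorizer == null || !authorizer.permit(user, operation, topologyConf)) {
                throw new AuthorizationException(
                        "UI request '" + operation + "' for user '" + user + "' is not authorized");
            }
        }

        public String killTopology(String user, String name, Map<String, Object> topologyConf) {
            assertAuthorized(user, "killTopology", topologyConf);
            return "killed " + name;          // the real UI would call Nimbus here on the user's behalf
        }

        public String rebalance(String user, String name, Map<String, Object> topologyConf) {
            assertAuthorized(user, "rebalance", topologyConf);
            return "rebalanced " + name;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample configuration, not taken from any real cluster.
        Map<String, Object> stormConf = new HashMap<>();
        stormConf.put("ui.authorizer", "UiAuthzExample$AclAuthorizer");
        stormConf.put("nimbus.admins", Arrays.asList("alice"));
        Map<String, Object> topoConf = new HashMap<>();
        topoConf.put("topology.users", Arrays.asList("bob"));

        UiActions ui = new UiActions(loadAuthorizer(stormConf));
        System.out.println(ui.killTopology("alice", "wordcount", topoConf));  // admin: allowed
        System.out.println(ui.rebalance("bob", "wordcount", topoConf));       // topology user: allowed
        try {
            ui.killTopology("mallory", "wordcount", topoConf);                // neither: rejected
        } catch (AuthorizationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            new UiActions(null).killTopology("alice", "wordcount", topoConf); // no authorizer: rejected
        } catch (AuthorizationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check is keyed on the operation name and the topology's own configuration, so the same authorizer instance can decide kill, rebalance and any further action the UI exposes without a per-action boolean switch; a deployment that wants the old "actions disabled" behaviour gets it by configuring an authorizer that denies everything, rather than by a separate flag the authorizer does not see.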